> > Nowhere of course, except in my head. The whole idea is to ask the user
> > for the password each time it is required and not memory-cached (expired
> > for instance). But is *only* asking for *a* single password. Very
> > different than asking for a login and a password possibly different
> > depending on which server the connection is made to.
>
> Sorry, but I don't like that idea. Asking the user for a "master"
> password everytime the computer starts up and a subversion client is
> used for the first time - that's like having the auth data not stored at
> all. I'd rather have the data stored as plaintext as it is now... :(

Stefan, I have in mind a caching for some time (configurable). svn
command line client would have to ask the password each time it is run
and requires an auth for the action. It could not cache the password as
the executable dies after each run.

TSNV on its side (as it 'runs' in explorer as long as explorer runs)
might keep a cache of that password for some minutes. If you have used
PGP that's the "cache passphrase" system. You can set for how many
minutes you accept it keeps the password cached. Keeping the password in
cache (in memory and obfuscated) is not totally secure, but it's much
better than storing it on disk. Paranoiac people might set cache
expiration to zero and be asked for the password each time it is
required (to lookup the auth details and use them).

The goal is not to be paranoiac and protects from attackers able to
analyze process memory space. The goal is to *never* store on disk in
any way the auth-info-store master password, so to protect people from
themselves.

Take a look to Mozilla Firefox and the way it stores web forms login and
passwords. You can leave the systme insecured where the auth-store is
unprotected. But you can password protect the auth-store. When done,
each time the browser wants to use an auth (login/password for instance)
from the store to access some page, it asks you for your master password
(unlocking temporarily the store). Advantage: you need a single password
to access tens of different servers and forms. And your auth info for
all these sites is not stored in clear text. Without the single master
password, nobody can use your auth info should they get a copy of it.

> > I'll have a look in there over the next days to see how that part of
> > subversion code is architected.
>
> Check out libsvn_subr\config_auth.c
> that's where the auth data gets read from and wrote to disk.